Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
64s -
max time network
75s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
07/05/2023, 20:13
General
-
Target
482559cc18c7643abbb36012d13dc66fbd0314577e70cd41fefe6c9a16f822a5.exe
-
Size
479KB
-
MD5
ac4bb9ef2e1e9c1749a8ac6c3c85ad53
-
SHA1
4105fcd1aa84a84e00f1ef0407b27f421197ae65
-
SHA256
482559cc18c7643abbb36012d13dc66fbd0314577e70cd41fefe6c9a16f822a5
-
SHA512
33074741f9c4c6d1147648b76000e3acf7bb52490895c1787766900d79099eb7f7a28ecf42a7b2ada5ded09501df6f152ceff2a6f8b9d4a9d00c06120cc67f98
-
SSDEEP
6144:Ksy+bnr+ep0yN90QEQuZ55nMQ2J9rTNI2gMt0cnnU/xnBCiso6U7xdTuL+Exrv7M:0Mruy90j+TfjgMtLnU/5B3soXyrvEJ
Malware Config
Extracted
redline
dion
217.196.96.101:4132
-
auth_value
6e0b6a3255923968b15f61a2c040c5c9
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\482559cc18c7643abbb36012d13dc66fbd0314577e70cd41fefe6c9a16f822a5.exe"C:\Users\Admin\AppData\Local\Temp\482559cc18c7643abbb36012d13dc66fbd0314577e70cd41fefe6c9a16f822a5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7028377.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7028377.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1886458.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1886458.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947814.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947814.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4405639.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4405639.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:R" /E5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
209KB
MD5bb0d33b89cb94e78f48be10d3ddf63d8
SHA157df09357d65e6c4c0a120329540b072e8d235cb
SHA25685e07974bfcb82c6c26eecc3879f2704deebf6d4d8101d27dc82044c5c3ebbf2
SHA512cc220e5698ee184067b8a7108997571f2eeb421db913ce55dacc27dee665c94d0a76bc2bdab30b37761c48327077c2485c9e1528ded1e2f8c2a0a400cb85d3e6
-
Filesize
209KB
MD5bb0d33b89cb94e78f48be10d3ddf63d8
SHA157df09357d65e6c4c0a120329540b072e8d235cb
SHA25685e07974bfcb82c6c26eecc3879f2704deebf6d4d8101d27dc82044c5c3ebbf2
SHA512cc220e5698ee184067b8a7108997571f2eeb421db913ce55dacc27dee665c94d0a76bc2bdab30b37761c48327077c2485c9e1528ded1e2f8c2a0a400cb85d3e6
-
Filesize
307KB
MD5a28d43a192a708f00691e86355a77c39
SHA17202917da52a3acaa96720cdc5e483e4abc108e3
SHA256a8ec428bf9de9ef2bd87b167ec4c14ed8f4b9b42756bd9c1297f7e2f7999422b
SHA5129ba4039cf91a2bc4d521c475837475c75a3fc157f08ec16aba4833b76a0f732cef03f31ab8647274dcd5f7e0467920d513ded6d44361d4780128d8b744d76a60
-
Filesize
307KB
MD5a28d43a192a708f00691e86355a77c39
SHA17202917da52a3acaa96720cdc5e483e4abc108e3
SHA256a8ec428bf9de9ef2bd87b167ec4c14ed8f4b9b42756bd9c1297f7e2f7999422b
SHA5129ba4039cf91a2bc4d521c475837475c75a3fc157f08ec16aba4833b76a0f732cef03f31ab8647274dcd5f7e0467920d513ded6d44361d4780128d8b744d76a60
-
Filesize
178KB
MD54003c9332c9b1a59b9e6dec30da3cd03
SHA1b75aebf10d9396ce3c9baee06382595801821842
SHA256b9f97cca9589f577a3ddab07712de42bf4d4f8e4b50aa1e9dcd68070eb9a0e70
SHA512fbc9cf3198afe3d3ff01da47d681b24c1c44cb59f5f951a7872813f5a023ab716c2790aca74eb462a0eabef25adaeb1f7f3e2eeced01b344cc2ac3d58052111d
-
Filesize
178KB
MD54003c9332c9b1a59b9e6dec30da3cd03
SHA1b75aebf10d9396ce3c9baee06382595801821842
SHA256b9f97cca9589f577a3ddab07712de42bf4d4f8e4b50aa1e9dcd68070eb9a0e70
SHA512fbc9cf3198afe3d3ff01da47d681b24c1c44cb59f5f951a7872813f5a023ab716c2790aca74eb462a0eabef25adaeb1f7f3e2eeced01b344cc2ac3d58052111d
-
Filesize
168KB
MD521bddeddad9ad55ba99229590853db55
SHA125863b746961be03cd6b3bb67462389e0d906b94
SHA256fc709efc2d9efa57c50b8aea63d67b70861869862c4c812913ad16274f2edbcc
SHA5129b00b285deae6160596f50d5850789e4945848f94e4a9bfe51ebea40fa2cb07452a7d780129064747ebcdcba983b833b7c6fc1b6c6d997aa0070d5ad23760193
-
Filesize
168KB
MD521bddeddad9ad55ba99229590853db55
SHA125863b746961be03cd6b3bb67462389e0d906b94
SHA256fc709efc2d9efa57c50b8aea63d67b70861869862c4c812913ad16274f2edbcc
SHA5129b00b285deae6160596f50d5850789e4945848f94e4a9bfe51ebea40fa2cb07452a7d780129064747ebcdcba983b833b7c6fc1b6c6d997aa0070d5ad23760193
-
Filesize
209KB
MD5bb0d33b89cb94e78f48be10d3ddf63d8
SHA157df09357d65e6c4c0a120329540b072e8d235cb
SHA25685e07974bfcb82c6c26eecc3879f2704deebf6d4d8101d27dc82044c5c3ebbf2
SHA512cc220e5698ee184067b8a7108997571f2eeb421db913ce55dacc27dee665c94d0a76bc2bdab30b37761c48327077c2485c9e1528ded1e2f8c2a0a400cb85d3e6
-
Filesize
209KB
MD5bb0d33b89cb94e78f48be10d3ddf63d8
SHA157df09357d65e6c4c0a120329540b072e8d235cb
SHA25685e07974bfcb82c6c26eecc3879f2704deebf6d4d8101d27dc82044c5c3ebbf2
SHA512cc220e5698ee184067b8a7108997571f2eeb421db913ce55dacc27dee665c94d0a76bc2bdab30b37761c48327077c2485c9e1528ded1e2f8c2a0a400cb85d3e6
-
Filesize
209KB
MD5bb0d33b89cb94e78f48be10d3ddf63d8
SHA157df09357d65e6c4c0a120329540b072e8d235cb
SHA25685e07974bfcb82c6c26eecc3879f2704deebf6d4d8101d27dc82044c5c3ebbf2
SHA512cc220e5698ee184067b8a7108997571f2eeb421db913ce55dacc27dee665c94d0a76bc2bdab30b37761c48327077c2485c9e1528ded1e2f8c2a0a400cb85d3e6
-
Filesize
209KB
MD5bb0d33b89cb94e78f48be10d3ddf63d8
SHA157df09357d65e6c4c0a120329540b072e8d235cb
SHA25685e07974bfcb82c6c26eecc3879f2704deebf6d4d8101d27dc82044c5c3ebbf2
SHA512cc220e5698ee184067b8a7108997571f2eeb421db913ce55dacc27dee665c94d0a76bc2bdab30b37761c48327077c2485c9e1528ded1e2f8c2a0a400cb85d3e6
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
192KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
64KB